malwarewikiaorg-20200223-history
Pixel
}} Pixel is a large family of very small prepending .COM-infecting file viruses on DOS. Only two of its known variants is more than a kilobyte long. One is as small as 131 bytes, while a significant number are around 300 and 800 bytes. Behavior When executed, the virus directly prepends its 847 bytes to all .com files in the current directory. It contains the string "IV", which it uses to check if a file is already infected. The actual virus only takes 591 bytes and the rest is junk. The virus code contains a counter for the times the virus has been executed. When this counter reaches 5, it reads the system time and if the value that it finds is odd, it displays the message: "Program sick error:Call doctor or buy PIXEL for cure description". Variants The original Pixel was mostly uninteresting, aside from the fact that it was one of the few prepending rather than appending viruses. A few of its variants added some interesting features to the virus, even more than Skulls. Cancer This 740-byte version does not make use of the "IV" string, but does contain it. It was first detected in Bulgaria. It was discovered around the same time as the original virus. It displays (uncensored) "F***ing H**l: What a smelly **s hole!!Do you want to f**k it!!!" and "HaHaHa... What a Good Friday!!". There is a 936-byte variant that has "WB" in the place of "IV". Other variants (892, 897, 899 and 905 bytes long) omit the "HaHaHa... What a Good Friday!!" string. Cheef On the 3rd of every month, it erases the FAT and displays the message "Happy Birthday,Cheef!". Subvariants are 297 and 300 bytes long. The subvariant Cheef.300.B contains Russian text: Помните о ВИРУСАХ!!!! (Remember the VIRUSES). Hydra There are at least nine subvariants of this variant. The original (with no version number) is 736 bytes; Version 1 is 403 bytes; 2- 343 bytes; 3- 342 bytes; 4- 340 bytes; 5- 391 bytes; 6- 372 bytes; 7- 368 bytes; 8- 495 bytes. Some versions delete all .exe files in the current directory, while others place the encrypted text "Who is John Galt?" into an .exe, which is decrypted and displayed when the file is run. They may also display the text "HYDRA Copyright © 1991 by C.A.V.E. HYDRA Watch for the many heads. The first eight are easy to find and kill. Their replacements will be more sophisticated. © 1991 - C. A. V. E.". When it runs out of .com files to infect, version 8 overwrites 4 .exe files with a 90-byte trojan. Pixel.Ill The first time this 573-byte variant is executed, it hooks INT 1Ch, but does not infect anything and returns control to the host program. The next time it is executed, it checks INT 1Ch for an ID byte that exists in the virus's INT 1Ch handler. If it finds the value, it will infect .com files. Password These 1,268 and 1,271-byte variants display the text "ENTER THE PASSWORD:" when executed. It waits for the user to enter "Ken Sent Me". If anything else is entered, it displays "YOU HAVE ENTERED THE WRONG PASSWORD!!" and returns to DOS. It also contains text that is not displayed: "PreComFileRunSyndrome1993" followed by a long string of "0"'s. Self A.K.A. Polish first 8 bytes of this 457-byte variant are random instructions PUSH CX - POP CX, PUSH DX - POP DX, PUSH DS - POP DS, PUSH ES - POP ES, which may cause the virus to display random characters when an infected file is executed. A 550-byte subvariant may delete .exe files and remove "read-only" attributes from some files. Others *'Pixel.251' *'Pixel.295', 299, 342 and 345 are similar to the original, except the length. 850 and another 345-byte variant are similar, with the exception of "WB" in the place of "IV". *'Pixel.283'- displays "!What a stupid you are !!!!!!!!" and uses "WB" in the place of "IV". *'Pixel.761'- contains the text "LiquidCode", which is never displayed. *'Pixel.779' *'Pixel.837'- displays "I love you so much!!! -- Francis". *'Pixel.852' and 854- contain text in Cyrillic (apperantly Serbian) "Владко и негови— ЉаЉко !". There is more, but we cannot find the correct encoding for it. Both use "SS" in the place of "IV". *'Pixel.877'- displays "Sector not found error fucking defoult drive! Please buy me a new disk drive!". *'Amstrad'- displays text "Buy AMSTRAD it is THE CHEAPEST COMPUTER thatyou can buy". *'Hello'- 847 bytes, displays "Hello, John Mcafee,please uprade me.Bests regards,Jean Luz". *'Meditation'- 299 bytes, displays text "Software Failure. Task Held. Guru Meditation". *'NearEnd'- 847 bytes, displays "THE END IS NEAR!! THE SIGNS OF THE BEAST ARE EVERYWHERE!!". *'Pixie'- contains text that is not displayed: "The Pixie Virus v1.0 - Written by NegativX - Copyright © 1991, -SiTT-". *'Rosen'- this is the smallest variant at 131 bytes. It displays nothing, but can be identified with the text ÉoR beginning at offset 3. *'RV1'- there are at least two subvariants of this variant. One 847-byte variant contains the text "═!═ En tu PC hay un virus RV1, y ésta es su quinta generación". Another 296-byte variant contains the same text, but without any diacritic marks. It means, "In your PC is the virus RV1, and this is its fifth generation". *'Viki'- also known as V-277, this variant checks for "UM" rather than "IV". It was discovered in spring of 1990. *'Wet'- these 257 and 275-byte variants display the text "Fucking hell:You wet pussy". They use "WB" in the place of "IV". Name Pixel gets its name from the fact that the source code for a program to create the virus was first published in a Greek magazine named "Pixel". It is also known as Amstrad because a variant contains an "advertisement" for Amstrad Computers, a British brand sold mostly in Britain and Europe. Origin The virus was actually first found in the wild in Bulgaria. It was traced to a Greek student who got the virus from Pixel, a Greek computer magazine. The magazine published a BASIC program that generates a .com file containing the virus. The virus's origin is unclear befor that. Sources Vesselin Bontchev, Morton Swimmer. Bulgarian Academy of Science, Virus Test Center, University of Hamburg, Computer Virus Catalog 1.2: "Amstrad" Virus. 1990.06.11 Kaspersky Lab, Virus.DOS.Pixel.257. F-Secure Antivirus, F-Secure Virus Descriptions : Pixel. VIRUS-L Digest, Volume 3 : Issue 33. 1990.02.07 Patricia Hoffman. VSUM, Amstrad. Category:Virus Category:DOS virus Category:DOS Category:Virus from 1980s